Reviewed Changes

assets/scss/_styles_project.scss

@@ -323,3 +323,41 @@ details {
     overflow-y: auto;
   }
 }
+
+.faq {
+  margin-bottom: 10px;
+  padding: 10px;
+}
+
+.question {
+  font-weight: bold;
+  font-size: 1.2rem;
+  margin-bottom: 10px;
+}
+
+.answer {
+  font-size: 1rem;
+}
+.container {
+  margin: auto;
+  padding: 20px;
+}
+
+.columns {
+display: flex;
+align-items: flex-start;
+margin-bottom: 10px;
+}
+
+.is-2 {
+  flex: 0 0 16.67%; /* Equivalent to 2 out of 12 columns */
+  font-weight: bold;
+  color: #555;
+}
+
+.column-content {
+flex: 1;
+margin-left: 20px;
+}
+
+

content/en/Learn_More/_index.md

@@ -0,0 +1,4 @@
+---
+title: Learn More
+type: docs
+---

content/en/Learn_More/faq.md

@@ -0,0 +1,7 @@
+---
+title: Frequently asked questions
+type: docs
+weight: 5
+---
+
+{{< faq >}}

content/en/Learn_More/news.md

@@ -0,0 +1,8 @@
+---
+title: News
+description: Stay updated with our latest news and announcements.
+type: docs
+weight: 1
+---
+
+{{< news >}}

content/en/Learn_More/security-audit-23.md

@@ -0,0 +1,157 @@
+---
+title: Security Audit '23
+description: Explore our latest security audits and findings.
+type: docs
+weight: 3
+---
+
+We are excited to announce completion of a source code audit of the in-toto
+Python and Go implementations along with an architectural review of the
+specification. The audit was ordered by the Open Source Technology Improvement
+Fund (OSTIF) and conducted by X41 D-Sec GmbH over the course of three weeks in
+February 2023.
+
+## Motivation
+
+While in-toto has previously undergone a security review by the CNCF’s
+TAG-Security, it had not been formally audited thus far. The in-toto
+implementations are currently used in production and the Python reference
+implementation reached v1.0 maturity in late 2020. The Go implementation has
+been the experimental testbed for several new features including the in-toto
+Attestation Framework. We decided in our roadmap that it is time to release v1.0
+of the specification and to apply for graduation at the CNCF. To formally
+underline our confidence in the specification we initiated the in-toto audit.
+
+## Results and Resolutions
+
+In their final report the auditors acknowledged that the quality of the analyzed
+source code was very good, and presented eight issues they had identified both
+in the code and also in the overall design and architecture of the in-toto
+framework. Among these issues one was labeled as high-severity, four as
+medium-severity, and three as low-severity issues.
+
+In addition, several informational findings, not relevant to the security of the
+in-toto framework, were listed in the report. We created GitHub advisories for
+all security findings and GitHub issues for the informational findings
+([implementation](https://github.com/in-toto/in-toto/issues?q=label%3AX41),
+[specification](https://github.com/in-toto/docs/issues?q=label%3AX41)).
+
+It shall be noted that all security-relevant issues can be mitigated by a
+correct usage of in-toto, or by understanding its scope. In fact the issue
+marked high-severity was well known to us as a possible use pattern and had an
+issue open for several years.  Thus, our fixes consist, above all, of
+clarifications in the specification and usage documentation.  Below we give an
+overview of all security-relevant findings and our response to them. More
+comprehensive details can be found in the linked advisories and the
+[report](/2023-security-audit-report.pdf).
+
+### File Metadata Ignored (medium severity)
+
+Advisory: [GHSA-wqrg-wjp9-wqfq](https://github.com/in-toto/docs/security/advisories/GHSA-wqrg-wjp9-wqfq)
+
+in-toto does not verify the integrity of file metadata. This might allow
+attackers to provoke privilege escalation or degradation of the final product.
+
+in-toto is designed to protect the integrity of artifact contents and not their
+metadata. That said and as recommended by the auditors, supply chain owners are
+free to promote dedicated file container formats that include e.g. permissions
+as part of the file contents.
+
+### Configuration Read From Local Directory (medium severity)
+
+Advisory: [GHSA-wqrg-wjp9-wqfq](https://github.com/in-toto/in-toto/security/advisories/GHSA-wc64-c5rv-32pf)
+
+CVE: [CVE-2023-32076](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32076)
+
+The link generation tool of the reference implementation can be configured using
+RC files stored in directories following the XDG base directory specification.
+One of the options is via a hidden file in the directory in-toto is run. An
+attacker that controls the inputs to a step may compromise the link metadata and
+evade detection by including such a configuration with their materials in
+transit, which, e.g. filter certain artifacts from being recorded.
+
+This is a special case of  “Functionaries Do Not Perform Verification”, which is
+described below. Further, after conversations with in-toto adopters, we realized
+that while RC files are widely used by other systems, in-toto users typically
+set configurations using API parameters or CLI arguments. As such, we removed
+support for RC files from the reference implementation.
+
+### Layout Replay (low severity)
+
+Advisory: [GHSA-73jv-h86v-c2vh](https://github.com/in-toto/docs/security/advisories/GHSA-73jv-h86v-c2vh)
+
+It is possible for an attacker to replay an older, since-replaced layout that
+has not yet expired.
+
+We consider this out-of-scope for in-toto and have updated the specification to
+explicitly note this as a non-goal. That said,
+[ITE-2](https://github.com/in-toto/ITE/blob/master/ITE/2/README.adoc) and
+[ITE-3](https://github.com/in-toto/ITE/blob/master/ITE/3/README.adoc) are two
+“accepted” in-toto Enhancements that detail how
+[The Update Framework (TUF)](https://theupdateframework.io/) can be used in
+conjunction with in-toto to defend against layout replay attacks.
+
+### Link File Reuse (medium severity)
+
+Advisory: [GHSA-6q78-j78h-pqm2](https://github.com/in-toto/docs/security/advisories/GHSA-6q78-j78h-pqm2)
+
+Link metadata files are not inherently tied to a layout, which might allow an
+attacker to replay ​​steps by replacing link files with ones from an earlier
+version.
+
+This issue can be mitigated by using globally unique step names in a layout.
+However, this is not mandated by the specification as link metadata reuse, e.g.
+for different supply chains, or generating link metadata independently of any
+supply chain, are valid use cases. In addition, as described above ITE-2 and
+ITE-3 are designed to prevent unallowed metadata reuse.
+
+### Functionaries Do Not Perform Verification (high severity)
+
+Advisory: [GHSA-p86f-xmg6-9q4x](https://github.com/in-toto/docs/security/advisories/GHSA-p86f-xmg6-9q4x)
+
+An attacker, who controls the product in transit, may compromise the whole
+supply chain and stay undetected, by modifying only the product in transit, and
+in such a way that the product itself can compromise a subsequent functionary.
+
+Among several possible mitigations, the preferred method is to encourage
+functionaries to strictly separate link generation from operations on untrusted
+materials. This recommendation aligns with the SLSA Level 3 requirement for
+Provenance generation that
+["Provenance is Non-forgeable"](https://slsa.dev/spec/v1.0/requirements#provenance-non-forgeable)
+and can be applied without changes to the in-toto specification. Other
+solutions, including [new tooling](https://github.com/in-toto/in-toto/pull/589)
+we have added, can be found in the advisory.
+
+### Several PGP Issues (varying severity)
+
+Advisory: [GHSA-jjgp-whrp-gq8m](https://github.com/in-toto/in-toto/security/advisories/GHSA-jjgp-whrp-gq8m)
+
+PGP keys in the reference implementation are not validated when verifying
+metadata signatures. More specifically, in-toto does not check if the validity
+period is in the future (low severity), revocation signatures exist (medium
+severity), or the key has correct usage flags (low severity).
+
+The auditors recommend using GnuPG for signature verification. However, this is
+not desirable as in-toto is designed to allow verification in isolation of
+external resources. Instead, it is the responsibility of the supply chain owner
+to vet keys before promoting them as verification keys, and to revoke them using
+the mechanisms provided by in-toto if necessary.
+
+## In Closing
+
+The findings from this review strengthen the in-toto specification and
+implementations. Several of these issues were difficult to find without the
+perspective of an outside reviewer, and they serve as a catalyst for us to
+deliver in-toto improvements and new features more quickly. We are also pleased
+to note that none of the issues fundamentally weaken the in-toto framework.
+
+We knew going in that in-toto would not be a typical subject of a security
+audit, especially as it was also focused on the specification. We think X41 rose
+to the task admirably and identified several points where the framework’s
+behavior could detract from what’s expected. Their findings and the resulting
+updates improve in-toto’s usability and make the framework more secure by
+default.
+
+Finally, we are extremely grateful to X41 for conducting, to Open Source
+Technology Improvement Fund (OSTIF) for organizing, and to the Cloud Native
+Computing Foundation (CNCF) for funding this audit – thank you all!

content/en/_index.md

@@ -11,8 +11,8 @@ description: A framework to secure the integrity of software supply chains
 {{% param description %}}
 {.display-6}
 
-<a class="btn btn-lg btn-primary me-3" href="docs/spec/">Learn More</a>
-<a class="btn btn-lg btn-primary me-3" href="https://github.com/in-toto/demo">Try the demo</a>
+<a class="btn btn-lg btn-primary me-3" href="docs/what_is_in_toto/">Learn More</a>
+<a class="btn btn-lg btn-primary me-3" href="/docs/demo">Try the demo</a>
 <a class="btn btn-lg btn-primary" href="https://github.com/in-toto/friends">Explore integrations</a>
 {.p-initial .my-5}
 <div class="h3 mt-4">
@@ -27,11 +27,11 @@ description: A framework to secure the integrity of software supply chains
 
 {{% blocks/section color="dark" type="row" %}}
 
-{{% blocks/feature icon="fa-solid fa-lock" title="Software supply chain protection" url="/docs/what_is_in_toto" %}}
+{{% blocks/feature icon="fa-solid fa-lock" title="Software supply chain protection" url="/docs/system-overview" %}}
 **Supply chain compromises are becoming a frequent occurrence. in-toto can help you protect your software supply chain.**
 {{% /blocks/feature %}}
 
-{{% blocks/feature icon="fa-brands fa-github" title="Open, extensible standard" url="/docs/spec" %}}
+{{% blocks/feature icon="fa-solid fa-book" title="Open, extensible standard" url="/docs/spec" %}}
 **in-toto is an open metadata standard that you can implement in your software's supply chain toolchain.**
 {{% /blocks/feature %}}
 

data/faq.yaml

@@ -0,0 +1,12 @@
+- q: Why the name “in-toto”?
+  a: |
+    in-toto is Latin for "as a whole." We chose the name because our objective with in-toto is to build a system to protect the whole software supply chain.
+- q: What is the difference between in-toto and [The Update Framework](https://theupdateframework.github.io/) (TUF)?
+  a: |
+    TUF provides a framework that can be used to secure update systems, i.e. the "last mile," whereas in-toto lets you verify the whole software supply chain. TUF and in-toto can play together very well, as you can use TUF to deliver updates and their corresponding in-toto metadata.
+- q: Is Python 3 supported?
+  a: |
+    Yes, Python 3 is supported with in-toto.
+- q: Is there a timeline for the support of Python 2.7?
+  a: |
+    We have released the final version of in-toto, v1.0.1, that supports Python 2. Our next release, at the end of April 2021, will drop support for Python 2.

data/news.yaml

@@ -0,0 +1,87 @@
+- date: 2023-06-05
+  text: |
+    in-toto's specification reached v1.0! Find it [here](https://github.com/in-toto/docs/blob/v1.0/in-toto-spec.md).
+- date: 2022-03-10
+  text: |
+    in-toto has moved from the Cloud Native Computing Foundation (CNCF) Sandbox to the Incubator! Read the full announcement [here](https://www.cncf.io/blog/2022/03/10/supply-chain-security-project-in-toto-moves-to-the-cncf-incubator/).
+- date: 2021-09-11
+  text: |
+    Our Google Summer of Code 2021 intern Qijia "Joy" Liu shares her [story about the in-toto Rust implementation](https://coda.io/@joy/2021-gsoc-story)
+- date: 2021-06-08
+  text: |
+    The Google security team mentions in-toto in their blog article [Verifiable Supply Chain Metadata for Tekton](https://security.googleblog.com/2021/06/verifiable-supply-chain-metadata-for.html)
+- date: 2021-02-02
+  text: |
+    Peter Elkind and Jack Gillum published an article SolarWinds about [in-toto in ProPublica](https://www.propublica.org/article/solarwinds-cybersecurity-system)
+- date: 2020-12-15
+  text: |
+    Tech Xplore released an [article](https://techxplore.com/news/2020-12-free-tool-layer-software-chain.html) warning about software supply chain attacks and describing in-toto.
+- date: 2020-12-12
+  text: |
+    The Linux Foundation received support to help advance several projects, including [in-toto](https://www.linuxfoundation.org/press-release/2019/12/the-linux-foundations-automated-compliance-work-garners-new-funding-advances-tools-development/)!
+- date: 2020-10-07
+  text: |
+    Our Google Summer of Code 2020 intern Christian Rebischke shares his [story about the in-toto Go implementation](https://www.cncf.io/blog/2020/10/07/gsoc-spotlight-my-google-summer-of-code-experience-at-cncf-in-2020/)
+- date: 2019-10-14
+  text: |
+    Tobias Furuholm presented in-toto at the [CASTOR Software Days](https://castor-software-days-2019.github.io) and shared a [video recording](https://drive.google.com/file/d/1kvkZtYNtnVjh4xxp8aR1fURSKMeOHnkf) and his [slides](/slides/CASTOR_SW_Days_2019_-_Securing_Software_Supply_Chains_with_in-toto_-_Tobias_Furuholm.pdf) with us.
+- date: 2019-10-02
+  text: |
+    Adrian Colyer wrote an article about [in-toto in "the morning paper"](https://blog.acolyer.org/2019/10/02/in-toto/).
+- date: 2019-07-09
+  text: |
+    in-toto was featured in the blog post ["33(+) Kubernetes Security Tools"](https://sysdig.com/blog/33-kubernetes-security-tools/).
+- date: 2019-06-08
+  text: |
+    We demonstrated how reproducible builds can be verified on "apt install" using in-toto at [MiniDebConf Hamburg](https://wiki.debian.org/DebianEvents/de/2019/MiniDebConfHamburg). You can [watch it online](https://gemmei.ftp.acc.umu.se/Public/debian-meetings/2019/miniconf-hamburg/in-toto.webm).
+- date: 2019-06-03
+  text: |
+    Datadog has deployed TUF and in-toto into their pipeline! Read more [here](https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto).
+- date: 2019-06-01
+  text: |
+    Our paper "in-toto: providing farm-to-table security properties for bits and bytes" was accepted into USENIX '19. More information [here](https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias).
+- date: 2019-02-13
+  text: |
+    We've worked alongside with Control Plane to make a test deployment of [Kubesec](https://kubesec.io/) using in-toto.
+- date: 2019-01-07
+  text: |
+    We released the first version of the [official in-toto Jenkins plugin](https://plugins.jenkins.io/in-toto). This provenance Agent will help you track and sign link metadata for any step within your pipeline in a secure and distributed way.
+- date: 2018-10-19
+  text: |
+    [Colin Domoney gave a talk on this year's DevSecCon London](https://www.devseccon.com/london-2018/session/supply-chain-achilles-heel/). He covered some of the fundamentals of in-toto to protect your cloud native deployment, as well as some other good supply-chain security practices. 
+- date: 2018-05-29
+  text: |
+    [Pacman 5.1 has been released](http://allanmcrae.com/2018/05/pacman-5-1-dont-use-the-force-luke/)! This new version adds support for reproducible builds, and includes a security check for tampered [git tag metadata](https://lists.archlinux.org/pipermail/pacman-dev/2017-September/022123.html).
+- date: 2018-05-17
+  text: |
+    A [LWN](https://lwn.net/Articles/754443/) article has been published, covering various supply chain security issues and their solutions, including grafeas, the update framework, and in-toto. 
+- date: 2018-05-02
+  text: |
+    We presented in-toto along with Grafeas at [Kubecon 2018](https://kccnceu18.sched.com/event/Dqtx/completely-securing-the-software-supply-chain-using-grafeas-in-toto-lukas-puehringer-nyu-wendy-dembowski-google-any-skill-level-slides-attached?iframe=yes&w=100%&sidebar=yes&bg=no#).
+- date: 2018-04-12
+  text: |
+    Grafeas mentioned in-toto integration plans on the [Google Cloud platform blog](https://cloudplatform.googleblog.com/2018/04/exploring-container-security-digging-into-Grafeas-container-image-metadata.html).
+- date: 2018-03-03
+  text: |
+    Our le-git-imate paper on improving the security of web-based Git repositories has been accepted at [ASIACCS 2018](http://asiaccs2018.org/?page_id=632)!
+- date: 2019-02-20
+  text: |
+    We will present an integration of in-toto and [Grafeas](https://grafeas.io) at [KubeCon + CloudNativeCon Europe 2018](https://kccnceu18.sched.com/event/Dqtx/completely) on May 2 in Copenhagen, Denmark.
+- date: 2017-10-17
+  text: |
+    A fix to our git tag metadata tampering attack paper ([USENIX '16](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias)) has been included in the master branch of the pacman package manager and will be included in the next [release](https://git.archlinux.org/pacman.git/commit/?id=39319c1860d200a9b4a3cc2c6975e3cece502f2d).
+- date: 2017-08-10
+  text: |
+    Lukas presented in-toto at Debian's [Debconf 2017](https://debconf17.debconf.org/). You can watch the video of the talk [here](https://debconf17.debconf.org/talks/100/).
+- date: 2017-02-06
+  text: |
+    We presented a demo of in-toto at [Dockercon 2017](https://2017.dockercon.com). You can watch the video [here](https://www.youtube.com/watch?v=SNge7-t4JRE&index=34&list=PLkA60AVN3hh_nihZ1mh6cO3n-uMdF7UlV).
+- date: 2017-01-17
+  text: |
+    A fix to our git tag metadata tampering vulnerability was merged into git's master branch and will be available starting from [git v2.12](https://public-inbox.org/git/[email protected]/). You can read more about it in our [USENIX '16](https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/torres-arias) paper. 
+- date: 2016-10-14
+  text: |
+    We presented a demo of in-toto in the [Docker Distributed System Summit](https://blog.docker.com/2016/10/docker-distributed-system-summit-videos-podcast-episodes/). You can watch the video [here](https://youtu.be/Aryr0O6H_2U?t=25m58s).
+- date: 2016-10-07
+  text: |
+    We are live! please check back soon for more updates.

data/specs.yaml

@@ -0,0 +1,11 @@
+- version: in-toto Stable (v1.0)
+  url: https://github.com/in-toto/docs/blob/v1.0/in-toto-spec.md
+  description: This is a thoroughly-reviewed version of the specification (and probably what you're looking for).
+- version: in-toto Latest
+  url: https://github.com/in-toto/docs/blob/master/in-toto-spec.md
+  description: If you want to see the latest changes and possible features, click this.
+- version: in-toto Attestation Framework Stable (v1.0)
+  url: https://github.com/in-toto/attestation/tree/v1.0/
+  description: The in-toto Attestation Framework is developed independently of the in-toto specification. A future version of the in-toto specification will incorporate this framework as the mechanism to express software supply chain claims.
+- version: in-toto Attestation Framework Latest
+  description: If you want to see the latest changes to the in-toto Attestation Framework, click this.

hugo.yaml

@@ -21,11 +21,10 @@ imaging:
 
 menu:
   main:
-    - name: in-toto website
-      weight: 40
-      url: https://in-toto.io
-      post: <sup><i class="ps-1 fa-solid fa-up-right-from-square fa-xs"
-        aria-hidden="true"></i></sup>
+    - name: Learn More
+      weight: 50
+      url: /Learn_More
+
 
 languages:
   en: